Siemens Discloses Local Privilege Escalation Bug in SCADA Gear

Siemens is warning customers of a local privilege escalation vulnerability that leaves over a dozen models of its SCADA equipment open to attack.

German engineering giant Siemens is warning operators of a local privilege escalation vulnerability that leaves more than a dozen models of its SCADA equipment open to attack. Siemens has patched some of the affected products and provided a workaround for others. The vulnerability was disclosed in an advisory issued Tuesday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

According to the advisory, the vulnerability is in more than a dozen Siemens products, including versions of its SINEMA Server, SIMATIC PCS 7, SIMATIC NET PC-Software and its Security Configuration Tool. The company said the vulnerable products are used in the chemical, energy, food and agriculture, and water and wastewater sectors.

The vulnerability, the advisory warns, could allow authenticated local Microsoft Windows users to escalate their privileges if the affected Siemens products are not installed under their default path. The good news is the vulnerability is not exploitable remotely and crafting a working exploit for the flaw “would be difficult,” Siemens said.

Siemens explains that the impact of the vulnerability varies based on unique configurations of equipment, operational environment, architecture, and product implementation.

Mitigations include verifying that the products were installed under their default path (“C:\Program Files\*” or the localized equivalent). According to Siemens, if “the default file system access permissions for drive C:\ were not modified, the security vulnerability is not exploitable.”
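One way to check the two conditions above across a machine is the following audit script, added here as an example and not taken from Siemens or the article: it lists Windows services whose executable sits outside the default Program Files location in a directory that low-privilege groups can write to. The service-based enumeration, the principal list and the `Get-ServiceExePath` helper are my assumptions, not anything the advisory specifies.

```powershell
# Added audit example (not from the Siemens advisory or this article): list Windows
# services whose executable is outside "C:\Program Files\*" and whose directory ACL
# grants write-type rights to non-administrative principals. Assumes PowerShell 5.1+
# run as an administrator; the principal list is a constructed choice of well-known groups.
$defaultRoots = @([Environment]::GetFolderPath('ProgramFiles'),
                  [Environment]::GetFolderPath('ProgramFilesX86')) | Where-Object { $_ }
$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a principal replace or tamper with files in the directory.
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                   $R::ChangePermissions -bor $R::TakeOwnership)

function Get-ServiceExePath([string]$PathName) {
    # Win32_Service.PathName may be quoted and may carry arguments.
    if (-not $PathName) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($PathName, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ServiceExePath $svc.PathName
    if (-not $exe) { continue }
    $dir = Split-Path -Path $exe -Parent
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    # A default install location with default ACLs is the advisory's safe case.
    if ($defaultRoots | Where-Object { $dir.StartsWith($_, 'OrdinalIgnoreCase') }) { continue }
    $weak = (Get-Acl -LiteralPath $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $writeMask) -ne 0
    }
    if ($weak) {
        [pscustomobject]@{
            Service    = $svc.Name
            RunsAs     = $svc.StartName
            Directory  = $dir
            WritableBy = ($weak.IdentityReference.Value | Sort-Object -Unique) -join ', '
        }
    }
}
$findings | Format-Table -AutoSize
```

Any row reported for a Siemens service is a candidate for reinstalling under the default path or tightening the directory ACL; an empty result does not by itself prove the advisory's conditions are met for products that do not register a service.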

Siemens offers software patches for eight affected product models, including SIMATIC WinCC, SIMATIC NET PC-Software and SINEMA Server. Temporary fixes are provided for most other Siemens gear.

Four products appear to have neither a patch nor a workaround. For specific versions of SIMATIC WinCC, SIMATIC PCS 7, SIMATIC WinCC Runtime Professional and SIMATIC WinCC (TIA Portal) Professional, Siemens suggests applying its temporary fix and “strongly recommends users protect network access to engineering workstations and project storage with appropriate mechanisms.”

Lastly, for all other products vulnerable to this flaw, Siemens said it is “working on new versions to incorporate the temporary fix for the remaining affected products and will update SSA-701708 when new information becomes available.”

The local privilege escalation vulnerability was reported directly to Siemens by Watersure and the IT consultancy Kiandra IT. There is no known public exploit of the vulnerability, according to Siemens.
